Infrastructure | How to establish password-less login with SSH11 May 2014
In present (post production) IT infrastructure many different workstations, servers etc. have to be maintained on a daily basis. When running on
*nix operating systems, the main tool to log into and execute arbitrary code on a remote machine is SSH .
Usually with a call like
you would be asked every time to enter the password of user Bob. This is not very efficient and also less secure then using key based authentication.
Furthermore the usage of passwords hinders the use of tools like Python fabric for automating certain tasks inside your pipeline e.g. remote backup scripts, deployment scripts.
Keep in mind that with ssh you are not limited to machines inside your local network. You can also use keybased ssh to securely log into machines in remote datacenters and even cloud computers like EC2 instances inside the Amazon public cloud (AWS).
In this tutorial we want to establish a password less and secure connection over ssh between two different computers in your IT environment. Computer A (COMP-A) with user Alice wants to connect to Computer B (COMP-B) with the user Bob.
In order to do so, we will be connecting over ssh with previously set private/public keys. The steps in this tutorial involve:
- Creating authentication keys on computer A
- Create a .ssh directory on computer B
- Store or send the generated public key to computer B
- Set correct rights to the key file and folder
We will explain the commands used in the tutorial when they occur. For details on the commands used or on SSH in general please check out the manual pages of e.g. ssh with
and the Further Reading section at the end.
Step 1: Create authentication keys on Computer A
Start (or login) on Computer A with user Alice and generate RSA private/public keys by executing the following command in your Terminal:
ssh-keygen -t rsa
When executing above command, you will be asked several questions. The first will be about where to store the keys. Leave it at its default and simply press Enter. The second prompt will ask you for a security passphrase, do not enter anything and leave it empty. Again just press Enter to proceed. The passphrase is another layer of security you can add to your keys. For internal usage it is not necessary.
Your Terminal output will look similar to this:
Generating public/private rsa key pair. Enter file in which to save the key (/home/alice/.ssh/id_rsa): [Press enter key] Created directory '/home/alice/.ssh'. Enter passphrase (empty for no passphrase): [Press enter key] Enter same passphrase again: [Press enter key] Your identification has been saved in /home/alice/.ssh/id_rsa. Your public key has been saved in /home/alice/.ssh/id_rsa.pub. The key fingerprint is: af:4f:35:82:d4:04:61:10:6d:11:f0:eb:1d:69:54:4f alice@comp-a The key's randomart image is: +--[ RSA 2048]----+ | ..oooF.++| | +. o.o | | .. . | | o . . .| | S . . + | | + . . o| | . . o +.| | + + | | +. | +-----------------+
Step 2: Create the .ssh directory on Computer B
After the creation of your local keys you need to transfer them to Computer B. Therefore a specific folder called .ssh needs to be created inside the home folder of Bob on Computer B (if it doesn't already exist). OpenSSH needs this folder to lookup previously stored keys and connected hosts.
Use SSH from Computer A to connect Computer B using Bob as user and create the .ssh directory. You can use the following command:
ssh bob@com-b mkdir -p .ssh
This command will connect to Computer B and then use mkdir to create the folder .ssh inside Bob's home folder.
If this is your first time connecting to Computer B, you will be prompted an authenticity message. This is for security reasons and will ask you if you know the host you are connecting to. Read it carefully and then enter yes. After that you will be as usual prompted with the password of the user Bob for this machine.
Your output will look similar to:
The authenticity of host 'comp-b (126.96.36.199)' can't be established. RSA key fingerprint is e5:51:92:42:c3:cf:d7:e2:d0:0d:00:7f:12:37:25:2b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '188.8.131.52' (RSA) to the list of known hosts. bob@comp-b password: [Enter Your Password Here]
After this the folder .ssh should have been created on Computer B.
Step 3: Upload your generated public key to Computer B
From Step 1 the generated RSA keys have been stored into the .ssh folder inside the home folder of Alice. Go check them out as user Alice on Computer A with
You will find the following files inside this directory by listing them with the ls command:
alice@comp-a:~/.ssh$ ls id_rsa id_rsa.pub known_hosts
The file id_rsa contains your private key. You have to keep this file secret and secure. Your job (life) depends on it.
The file id_rsa.pub contains your public key. This is the file you can share with computers to which you want to connect without entering a password.
Again you can use SSH to connect to Computer B and upload the id_rsa.pub public file into the recently created .ssh folder. The file needs to be renamed to authorized_keys.
Enter the following command as Alice on Computer A to send the contents of id_rsa.pub into the new file authorized_keys on Computer B:
cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys'
The above command uses cat to print out the contents of id_rsa.pub to standard out and immediately pipes the output with the pipe operator
| into the command that is run after the ssh connection is established to Computer B.
This final command is again a cat which is used in conjunction with the output redirection operator
>> to create a new file authorized_keys inside the .ssh folder.
You will be yet again prompted to enter the password. Just hold up - we are almost in password-less ssh heaven.
[alice@comp-a ~]$ cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys' bob@comp-b password: [Enter Your Password Here]
Step 4: Set Permissions on Computer B
The final step is to set the correct permissions with chmod for the authorized_keys file and the .ssh directory on Computer B. This is due to security reasons and different SSH versions that might be running on both computers in connection.
ssh bob@comp-b "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
You will be prompted the last time for a password. After this call you are done.
Optional Step: Restore your SELinux settings on Computer B
If you are running a Linux version which has SELinux enabled, you might have to run the following command on the home folder of Bob.
restorecon -R -v /home/bob/.ssh
Step 5: Password less login from Computer A to Computer B
Finally! If you ssh from user Alice on Computer A to user B on Computer B there should not be any password prompt.
In case your keyfile is not located in the .ssh folder you can use the
-i argument of ssh to define the path to the private keyfile:
ssh -i /path/to/private_key bob@comp-b